Kibana logs out after opening SIEM page

Kerwood · November 7, 2019, 1:43pm

Upgrade from 6.x to 7.3.2. Everything works except the SIEM tab. When ever I go to the SIEM tab, I get logged out and redirected to the login page. I’m not using and proxy in front, so thats not the problem.

Elasticsearch/Kibana version: 7.3.2

The logs output this error.

Oct 29 11:19:52 PRESC01 kibana[92260]: { Error: Not Found
Oct 29 11:19:52 PRESC01 kibana[92260]: at handler (/usr/share/kibana/src/legacy/server/http/index.js:113:29)
Oct 29 11:19:52 PRESC01 kibana[92260]: at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Object.internals.handler (/usr/share/kibana/node_modules/hapi/lib/handler.js:50:48)
Oct 29 11:19:52 PRESC01 kibana[92260]: at exports.execute (/usr/share/kibana/node_modules/hapi/lib/handler.js:35:36)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Request._lifecycle (/usr/share/kibana/node_modules/hapi/lib/request.js:263:62)
Oct 29 11:19:52 PRESC01 kibana[92260]: data: null,
Oct 29 11:19:52 PRESC01 kibana[92260]: isBoom: true,
Oct 29 11:19:52 PRESC01 kibana[92260]: isServer: false,
Oct 29 11:19:52 PRESC01 kibana[92260]: output:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404,
Oct 29 11:19:52 PRESC01 kibana[92260]: payload:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404, error: 'Not Found', message: 'Not Found' },
Oct 29 11:19:52 PRESC01 kibana[92260]: headers:
Oct 29 11:19:52 PRESC01 kibana[92260]: { 'kbn-name': 'kibana',
Oct 29 11:19:52 PRESC01 kibana[92260]: 'kbn-xpack-sig': '37fa0a487b714a7c397e35e10c1b1322' } },
Oct 29 11:19:52 PRESC01 kibana[92260]: reformat: [Function],
Oct 29 11:19:52 PRESC01 kibana[92260]: message: 'Not Found',
Oct 29 11:19:52 PRESC01 kibana[92260]: typeof: [Function: notFound] }
Oct 29 11:19:52 PRESC01 kibana[92260]: redirecting to  /login

The WebUI briefly show this:

  JSON.parse: unexpected character at line 1 column 1 of the JSON data

Any ideas why the SIEM tab does not work?..

Here’s a screenshot from the developer tab.

Vasinkin · November 7, 2019, 7:20pm

Can confirm on Kibana v 7.3.2, ROR enterprise-1.18.7_es7.3.2
Same as APM app.

Do you need any logs?

Kerwood · November 8, 2019, 10:47am

Im on: ReadonlyREST Security version pro-1.18.7_es7.3.2

sscarduzio · November 8, 2019, 10:50am

Thanks for the feedback guys, can you check if Elasticsearch has some FORBIDDEN log lines or anything interesting when you experience this?

Kerwood · November 8, 2019, 11:30am

Nope… literally nothing shows

sscarduzio · November 10, 2019, 5:52pm

I just tried with version enterprise-1.18.8-20191109_es7.3.2 using our docker image, it works well. Both in “admin” and “rw” kibana access mode.

Kerwood · November 11, 2019, 8:18am

Here’s my access_control_rules.

    - name: IT - RW ALL
      type: allow
      kibana_access: admin
      ldap_auth:
          name: "ldap1"
          groups: ["admin-group"]
      verbosity: error # don't log successful request

sscarduzio · November 11, 2019, 1:33pm

yeah it’s functionally the same. Can you reproduce with 1.18.8?

Kerwood · December 10, 2019, 8:12am

Just upgraded to ES 7.4.2 and ROR 1.18.9 and the error still occurs. Nothing has changed.

A fresh stack trace.

Dec 10 09:04:14 PRESC01 kibana[7601]: { Error: Not Found
Dec 10 09:04:14 PRESC01 kibana[7601]: at handler (/usr/share/kibana/src/legacy/server/http/index.js:113:29)
Dec 10 09:04:14 PRESC01 kibana[7601]: at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)
Dec 10 09:04:14 PRESC01 kibana[7601]: at Object.internals.handler (/usr/share/kibana/node_modules/hapi/lib/handler.js:50:48)
Dec 10 09:04:14 PRESC01 kibana[7601]: at exports.execute (/usr/share/kibana/node_modules/hapi/lib/handler.js:35:36)
Dec 10 09:04:14 PRESC01 kibana[7601]: at Request._lifecycle (/usr/share/kibana/node_modules/hapi/lib/request.js:263:62)
Dec 10 09:04:14 PRESC01 kibana[7601]: data: null,
Dec 10 09:04:14 PRESC01 kibana[7601]: isBoom: true,
Dec 10 09:04:14 PRESC01 kibana[7601]: isServer: false,
Dec 10 09:04:14 PRESC01 kibana[7601]: output:
Dec 10 09:04:14 PRESC01 kibana[7601]: { statusCode: 404,
Dec 10 09:04:14 PRESC01 kibana[7601]: payload:
Dec 10 09:04:14 PRESC01 kibana[7601]: { statusCode: 404, error: 'Not Found', message: 'Not Found' },
Dec 10 09:04:14 PRESC01 kibana[7601]: headers:
Dec 10 09:04:14 PRESC01 kibana[7601]: { 'kbn-name': 'kibana',
Dec 10 09:04:14 PRESC01 kibana[7601]: 'kbn-xpack-sig': '37fa0a487b714a7c397e35e10c1b1322' } },
Dec 10 09:04:14 PRESC01 kibana[7601]: reformat: [Function],
Dec 10 09:04:14 PRESC01 kibana[7601]: message: 'Not Found',
Dec 10 09:04:14 PRESC01 kibana[7601]: typeof: [Function: notFound] }
Dec 10 09:04:14 PRESC01 kibana[7601]: redirecting to  /login

Kerwood · December 10, 2019, 2:31pm

@sscarduzio Its not just the SIEM page… Its a bit random on different pages.

ld57 · December 10, 2019, 3:16pm

yep it seems related to the same thing I posted.

Kerwood · December 11, 2019, 8:04am

@ld57 Posted where ?

ld57 · December 11, 2019, 8:09am

in the forum.

i think it is related to error response interpretation

sscarduzio · December 11, 2019, 12:10pm

Found a fix, will publish a pre.

sscarduzio · December 11, 2019, 6:59pm

@all the builds are ready, please DM me and tell me for what Kibana version you need!

ld57 · December 12, 2019, 5:09pm

I tested on my side the siem module, with the 1.18.10-pre1

there is no more kick out to login screen, this is fixed

Kerwood · December 16, 2019, 10:31am

Nice… When can we expect it on the download page ? @sscarduzio

sscarduzio · December 18, 2019, 9:48pm

@coutoPL WDYT we can release 1.18.10?

coutoPL · December 19, 2019, 11:50am

yes, IMO we can release 1.18.10

nvidia · December 23, 2019, 11:14am

Have the same issue, can you sent me the build for 7.4.2 kibana?